30 September 2018

Trump Has a New Weapon to Cause ‘the Cyber’ Mayhem

The White House took a first step this week to fulfill President Donald Trump’s campaign pledge to launch “crippling, crippling” cyberattacks on adversaries to protect U.S. computer systems, unveiling a new strategy that will allow the United States to take the offensive in cyberspace. But experts warn that the new cyber strategy risks exposing the United States to blowback and turning the internet into a Wild West of hacking operations.

In rolling out the administration’s new “National Cyber Strategy,” National Security Advisor John Bolton said that Trump had removed restrictions on the use of offensive cyber-operations and replaced them with a more permissive legal regime that gives the Defense Department and other agencies greater authority to penetrate foreign networks to deter hacks on U.S. systems.

“Our hands are not tied as they were in the Obama administration,” Bolton said.

Bolton described the new authority as part of an effort to “create powerful deterrence structures that persuade the adversary not to strike in the first place.” Decision-making for launching some attacks will be moved down the chain of command; previously, offensive cyber-operations generally required the approval of the president. Those envisioned in the new policy will include both offensive and defensive actions, only some of which may be made public, Bolton said.

In a separate strategy document released this week, the Defense Department said it would “defend forward” U.S. networks by disrupting “malicious cyber activity at its source.”

The new policy comes amid intense scrutiny of the Trump administration’s efforts to deter foreign interference in the upcoming midterm elections. In 2016, Russian hackers affiliated with military and intelligence agencies hacked computers belonging to the Democratic Party, released stolen emails, and carried out a propaganda campaign to favor Trump’s chances. (Trump, as a candidate, poured skepticism on Russian responsibility but argued the United States should “be better than anybody else” at “the cyber.”)

But exactly how the Trump administration will use the newly unleashed offensive cyber-capability remains unclear, as the policy’s details remain classified. A spokesperson for the National Security Council declined to say at what point a U.S. cyberattack would require presidential approval.

Bolstering the country’s ability to operate offensively in cyberspace makes sense, as long as these capabilities aren’t used in isolation, said Michael Daniel, the top cybersecurity advisor in the Obama administration.

“More frequent use of offensive cyber-capabilities only make sense as part of a broader, coordinated foreign-policy strategy involving multiple elements of national power,” Daniel said.

“If the U.S. government does decide to significantly increase its offensive cyber-actions, it should think those operations through carefully and clearly embed them in a larger strategy for dealing with the particular target,” added Daniel, who now runs the Cyber Threat Alliance, an industry group.

One big concern with offensive cyberweapons is that they can cause collateral damage far beyond the original, intended target. In 2017, Russian operatives unleashed the NotPetya ransomware on the Ukrainian financial system, but the virulent worm spread around the world and caused billions of dollars in damage, shut down hospitals, and caused massive disruptions to global shipping and commerce.

Granting Defense Department officials the authority to launch retaliatory cyberattacks could risk turning the global internet into a “free-fire zone,” said Martin Libicki, a professor at the U.S. Naval Academy who has written extensively on deterrence in cyberspace.

For U.S. administrations seeking a way to strike back at adversaries, useful cyberweapons have been few and far between—and simply loosening the legal restrictions may not be the answer.

Under former President Barack Obama, National Security Council officials pressed government agencies for options to respond to widespread hacking and theft of intellectual property by foreign entities. The proposals that came back were often disappointing.

“In my experience, it has not been [U.S. government] deterrence policies that held back response but the inability of agencies to execute,” said Ari Schwartz, a former senior cybersecurity adviser in the Obama administration, now the managing director of cybersecurity services at the law firm Venable.

The apparent focus on the use of offensive cybertools has some lawmakers worried that it may invite painful retaliation. As one of the most wired global economies—reliant on the internet for Silicon Valley, energy generation, air traffic control, and more—the United States is a lot more vulnerable to cyberattacks than many of its potential adversaries.

“As the country with the most innovative economy in the world, we must also acknowledge the abiding interest of the United States in encouraging stability in this domain,” said Rep. Jim Langevin, a Rhode Island Democrat and a founder of the Congressional Cybersecurity Caucus.